The Information Commissioner's Office is looking into possible privacy issues with Facebook's rollout of facial recognition technology, which came to light on Tuesday.

The Information Commissioner's Office is to look into Facebook's new facial recognition software, which attempts to match images to users' faces.Photo credit: Facebook

The UK data protection authority is talking to the social-networking company about its facial recognition technology, which scans photos uploaded to its site, attempts to match them to Facebook friends and then suggests usernames with which to tag the images. Facebook enables this feature by default, meaning that people must change their account settings if they do not want to be identified.

"As with any new technology, we would expect Facebook to be upfront about how people's personal information is being used," said the Information Commissioner's Office (ICO) in a statement on Thursday. "The privacy issues that this new software might raise are obvious, and users should be given as much information as possible to give them the opportunity to make an informed choice about whether they wish to use it. We are speaking to Facebook about the privacy implications of this technology."

The potential issue is whether Facebook should have explicitly informed users about the addition of the feature. Its rollout has been going on outside the US "for the last several months" without customer notification that default settings had been activated, Facebook said in a post to its blog on Tuesday.

"We're talking to Facebook to see how the software was put into play, and whether privacy implications were taken into account," an ICO spokesman told ZDNet UK.

European watchdogs

The issue will be raised in a meeting of the European privacy regulators who form the Article 29 Working Party, but no official action has been initiated, the European Data Protection Supervisor (EDPS) said on Thursday.

"The Working Party is not officially following the issue, but the technology subgroup of the Working Party will in any case be informed," said a spokeswoman for the EDPS, which oversees European data privacy.

Social-network sites should offer privacy-friendly default settings that do not allow any access to user's profile content without specific consent.

– Dutch Data Protection Authority

The Dutch Data Protection Authority (College Bescherming Persoonsgegevens), which currently chairs the Article 29 Working Party, declined to comment specifically on the case, but noted that there are general guidelines for such situations.

"Social-network sites should offer privacy-friendly default settings that do not allow any access to user's profile content without specific consent that is beyond their self-selected contacts in order to reduce the risk of unlawful processing by third parties," said a spokeswoman for the data protection authority.

Facebook on Thursday acknowledged the ICO probe and the interest from European regulators, but said it did not believe its implementation of facial recognition had any privacy implications.

"We have heard the comments from some regulators about this product feature, and we are providing them with additional information which we are confident will satisfy any concerns they will have," Facebook said in statement.

ZDNet UK understands that Facebook's position is that it is not being investigated and that it informed privacy regulators in Europe of its facial recognition technology in December, when it introduced the tool in the US.

Facebook should have been 'more clear'

Facebook has already acknowledged that it should have been "more clear" about the rollout, which has been almost global.

"When we announced this feature last December, we explained that we would test it, listen to feedback and iterate before rolling it out more broadly," said Facebook in a statement on Tuesday. "We should have been more clear with people during the rollout process when this became available to them. Tag Suggestions are now available in most countries, and we'll post further updates to our blog over time."

At present, the European Commission is examining potential changes to European data protection laws. On Thursday, the European Commission said it is not looking into Facebook facial recognition, but that new uses of social-networking technology would inform its overhaul of European data protection laws.

"It's too early to say what kind of effect [the facial recognition] will have," justice commissioner spokesman Matthew Newman told ZDNet UK. "Facebook has already backtracked and apologised. We take into account all new technologies since 1995. We need to modernise the rules."

Newman said that customers are very often not informed of new services on social-networking sites, and that often it is not clear how data is used. "Transparency is going to be a big part of the reforms," he said.

Get the latest technology news and analysis, blogs and reviews
delivered directly to your inbox with ZDNet UK's
newsletters.